All Courses
Ultimate HTTP Warrior Ultimate DNS Warrior Ultimate Apache Web Server Warrior
Blog
About Contact

Qname Minimization

ultimate dns warrior Aug 07, 2025

 This article aims to explain inconsistencies in the subdomain delegation process which can get exposed by a specific setting found on modern Resolvers: Qname Minimization

 

 

In the above subdomain delegation setup the answer for www.staging.sydney.unw.com will depend on whether Qname Minimization is enabled or disabled on your Recursive Resolver.

 

With Qname Minimization Enabled: The answer will be:  10.6.6.6

When this feature is enabled the resolver sends only the next part of the label of the FQDN at every stage of iteration:

1st Query -->  com --> To the root NS
2nd Query --> unw.com --> To the com NS --> NS will send referral to ns1.unw.com
3rd Query --> sydney.unw.com --> To ns1.unw.com --> NS will send referral to ns1.sydney.unw.com
4th Query --> staging.sydney.unw.com --> To ns1.sydney.staging.com --> Will return nxdomain
5th Query --> www.staging.sydney.unw.com --> To ns1.sydney.staging.com --> NS will return 10.6.6.6

 

CloudFare's 1.1.1.1 has this feature enabled as of this writing and hence our DNS name will resolve to 10.6.6.6:  

 

With Qname Minimization Disabled: The answer will be:  10.7.7.7

When this setting is disabled the resolver sends the full FQDN at every stage of the iteration: 

1st Query -->  www.staging.sydney.unw.com --> To the root NS
2nd Query --> www.staging.sydney.unw.com --> To the com NS --> NS will send referral to ns1.unw.com
3rd Query --> www.staging.sydney.unw.com --> To ns1.unw.com --> NS will send the longest (best) matching referral to ns1.staging.sydney.unw.com
4th Query --> www.staging.sydney.unw.com --> To ns1.staging,sydney.staging.com --> Will return 10.7.7.7

 

Google's 8.8.8.8 has this feature disabled as of this writing and hence it will resolve this DNS name to 10.7.7.7:

  

The fix:

The fix is quite simple. Once a subdomain has been delegated, ensure not to create any records at the same level or below that level of hierarchy in the parent zone. All those records should go in the zone for the subdomain. 

Here is the simple and correct way of performing subdomain delegation: 

Note that the records for the subdomains sydney.unw.com and staging.sydney.unw.com are now inside the corresponding respective hosted zones instead of the parent hosted zone.

This will ensure consistent and predictable DNS resolution across all resolvers which may or may not have this feature enabled.

 

For more content please check out my Course on DNS and Bind.

 

Thank you for reading!

 

 

Categories

All Categories aws alb aws route 53 ultimate dns warrior

Comments

Stay connected with news and updates!

Join our mailing list to receive the latest news and updates from our team.
Don't worry, your information will not be shared.

We hate SPAM. We will never sell your information, for any reason.